According to Avast, in the first half of 2021 the DirtyMoe botnet (aka PurpleFox, Perkiler, and NuggetPhantom), which had about 10,000 infected machines at the end of 2020, grew dramatically in size and now stands at roughly 100,000 affected systems.
DirtyMoe has been active since 2017, and throughout that time its main goal has been to infect Windows systems for covert cryptocurrency mining, although the malware can also launch DDoS attacks, a capability that was added back in 2018.
Typically, the malware is spread via spam that lures users to malicious sites hosting the PurpleFox exploit kit (1, 2, 3, 4). The kit exploits various browser vulnerabilities (usually in Internet Explorer) to install a Windows rootkit, which gives the malware full control over the infected host, which it then uses for mining.
Avast reports that from 2017 to 2020 the DirtyMoe botnet comprised anywhere from a few hundred to a few thousand infected systems, but the situation has recently changed dramatically. At the end of 2020, DirtyMoe's operators equipped the malware with a worm module that lets it spread over the Internet to other vulnerable machines on its own. The module scans for hosts with an exposed SMB port and automatically brute-forces their credentials.
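The worm behaviour described above leaves a recognisable trace on the victim side: a single source address failing many network logons against many accounts in a short time. The following detection, added here as an illustration and not code from Avast or from the DirtyMoe operators, runs over constructed records modelled on Windows Security Event ID 4625 (failed logon) with Logon Type 3 (network logon, which is what SMB authentication produces) and flags sources whose failure rate looks like a password brute force. The whitespace-separated record layout, the window size and the thresholds are assumptions for this example; a real deployment would read the fields from the event XML or a SIEM.

```python
"""Flag likely SMB password brute-forcing from Windows Security log failures.

Added example, not code from the article or from Avast. Records mimic
Event ID 4625 (an account failed to log on) with Logon Type 3 (network
logon, the type SMB authentication generates). The five-field line layout
below is an assumption made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, event id, logon type, target account, source IP.
# 10.0.0.77 sprays several accounts within seconds (brute-force pattern);
# 10.0.0.15 is a normal host with one success and a few scattered failures.
SAMPLE_LOG = """\
2021-06-01T10:00:01 4625 3 administrator 10.0.0.77
2021-06-01T10:00:02 4625 3 admin 10.0.0.77
2021-06-01T10:00:02 4625 3 guest 10.0.0.77
2021-06-01T10:00:03 4625 3 administrator 10.0.0.77
2021-06-01T10:00:03 4625 3 user 10.0.0.77
2021-06-01T10:00:04 4625 3 test 10.0.0.77
2021-06-01T10:00:05 4624 3 alice 10.0.0.15
2021-06-01T10:00:09 4625 2 bob 10.0.0.15
2021-06-01T10:05:00 4625 3 alice 10.0.0.15
2021-06-01T10:45:00 4625 3 carol 10.0.0.15
"""


def parse_log(text):
    """Parse the assumed line format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src": src,
        })
    return events


def find_bruteforcers(events, window=timedelta(minutes=1),
                      threshold=5, min_accounts=3):
    """Return {src_ip: (failures, distinct_accounts)} for every source that
    produced at least `threshold` failed network logons against at least
    `min_accounts` different accounts inside some `window`-long interval.
    The tuple reports the largest such burst seen for that source."""
    by_src = defaultdict(list)
    for e in events:
        # Only failed logons of type 3 (network) are relevant to SMB guessing;
        # successes (4624) and interactive failures (type 2) are ignored.
        if e["event_id"] == 4625 and e["logon_type"] == 3:
            by_src[e["src"]].append(e)

    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans at most `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            run = evs[start:end + 1]
            accounts = {e["account"] for e in run}
            if len(run) >= threshold and len(accounts) >= min_accounts:
                if len(run) > flagged.get(src, (0, 0))[0]:
                    flagged[src] = (len(run), len(accounts))
    return flagged


if __name__ == "__main__":
    for src, (fails, accts) in find_bruteforcers(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {fails} failed network logons against {accts} accounts")
```

The account-diversity condition is what separates a spray from a user mistyping one password; on the sample above only 10.0.0.77 is reported, with six failures across five accounts in four seconds. Pair the alert with a check that the host's SMB port is not reachable from untrusted networks, since the article's point is that exposure, not a vulnerability, is what the worm exploits.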
This module allowed the malware to increase its infection count dramatically: in this year alone, more than 100,000 systems have been infected. Moreover, these statistics are based on Avast telemetry, that is, collected only from machines running the company's antivirus, so the actual size of the DirtyMoe botnet is likely much larger.